Information security and risk management teams for healthcare entities have struggled to update their reporting models to keep pace with the increasing variety and complexity of risks facing the modern healthcare ecosystem.

Meditology’s Enterprise Risk Reporting services for healthcare entities leverage leading practices from premier healthcare organizations to enhance visibility, informed decision making, and accountability for managing enterprise risk.

Security and compliance leaders often struggle to answer fundamental enterprise risk questions from the business such as:

  • What are our highest priority risks?
  • What budget should be allocated for security and compliance?
  • Should the business fund this project or that project?
  • How much will we reduce risk if we take this or that action?
  • How do we know that our prior investments have reduced our risk?


1 Make Visible

Gathering data and organizing it to provide clear risk information tailored to the audience

2 Facilitate

Providing structure that allows risk, control, and business owners to make risk management decisions based on timely risk information

3 Drive Accountability

Enabling decision owners to manage accountability through reporting, monitoring, and validating results


  • Meditology has extensive experience advising healthcare security, risk, and compliance teams in the development and maturity of risk management reporting models

  • We have advised security leaders, boards, and audit committees for multi-billion-dollar health systems on information security and risk reporting and have a proven model that can be tailored to your environment

  • We tailor our model and metrics to your organization’s specific technical, cultural, and communication requirements

  • Our team has worked with many large healthcare clients to develop and implement risk management programs from the ground up

  • We have experience integrating risk reporting processes with leading BI and GRC platforms

  • We service the healthcare industry exclusively and understand how to position information security and risk information to drive meaningful risk reduction for the business


7 Step Infographic
  • Designed and built from industry-leading risk reporting models and standards from the nation’s premier healthcare organizations
  • Communicates risk information in terms that the business can understand
  • Aligned with industry standard risk reporting and security controls models including FAIR, ISO, NIST, COBIT, CVSS, and HITRUST
  • Establishes clear links between executive, strategic, and operational reporting levels
  • Collects and reports risk information in a way that is operationally feasible and appropriate for the organization
  • Provides the processes, tools, templates, and dashboards that present a visual picture of risk
  • Gathers and organizes data that provides a clear picture of risk tailored to target stakeholder groups
  • Promotes stakeholder accountability through reporting, ongoing monitoring, and validation of results
  • Identifies target strategic risk outcomes, is adjustable year over year to align with maturing targets, and drives metrics to help move specific remediation initiatives forward
  • Leverages Business Intelligence (BI) reporting and GRC capabilities and automation to capture and report metrics in a consistent, repeatable, and scalable manner
  • Reports on technical, management, and operational controls to maintain alignment with business objectives and regulatory compliance requirements including HIPAA, HITECH, PCI, and other regulations and standards
We chose Meditology mainly for their demonstrated knowledge and understanding of HIPAA, ARRA/HITECH and established security standards.

They were unfailingly professional throughout the information gathering and data gathering processes, kept to their timeline and verified the results that they found. The reports produced were accurate and easy to understand, with appropriate benchmarking to other health care organizations and the security industry as a whole. Most importantly, they provided concrete and achievable suggestions to help mitigate the risks identified.

Barbara Anson

CISO, Baptist Memorial Health Care Corporation of Memphis, TN

It was vitally important that I had a complete sense of confidence in Meditology’s ability to successfully deliver this project without impacting clinical care.

As I learned more about Meditology’s deep technical skills and multiple prior experiences working in healthcare environments similar in size and complexity to Grady, my sense of confidence in Meditology grew. The project was delivered on time and on budget, and exceeded my expectations based on the thoroughness and care of the approach, and the quality of the reporting. Meditology was able to achieve each of the engagement objectives, and their report provided a comprehensive picture of Grady’s security posture. I plan to work with Meditology in the future and look forward to similar success.

Michael Francis
Executive Director, Infrastructure Services & ISSO, Grady Health System, Georgia

Throughout the readiness process, Meditology Services provided templates and recommendations for changes needed to meet HITRUST requirements.

As a provider of data analytics to health plans, it is essential that our firm demonstrate the highest levels of data security for our clients. We set a goal to achieve certification on the HITRUST security framework and sought out Meditology Services as a third-party security assessor to assist us. Throughout the readiness process, Meditology Services provided templates and recommendations for changes needed to meet HITRUST requirements. Their guidance, knowledge and professionalism were essential to our successful HITRUST certification. We are thrilled with their team and resources and look to leverage them for our future HITRUST assessments as well.

Matt Siwickie

Chief Information Security Officer, NextHealth Technologies

We engaged Meditology to assist us with Security Risk Assessment services on two different occasions.

They were highly knowledgeable and extremely professional throughout the duration of each project, and the quality of the final deliverables they provided was exceptional. Meditology’s healthcare focus and core competency of Information Security and Privacy were indispensable to the engagement. Their deep knowledge of the HIPAA and HITECH regulations, as well as the Common Security Framework and supplemented by industry operational experience of their team members, added huge value to the assessment. Meditology was able to address significant risk areas in a straightforward manner and was able to provide practical examples and insight on how to go about correcting issues. We will definitely call upon Meditology again when the need arises.

Martin Littmann
Chief Technology Officer & CISO, Kelsey-Seybold Clinic

Onsite Health Diagnostics has relied on Meditology Services for HIPAA security risk assessment and penetration testing since 2014.

Meditology’s information security services have provided OHD’s customers and business partners with confidence in the seriousness with which we take our responsibility to protect their highly sensitive data. We have been more than pleased with Meditology’s professionalism, diligence and responsiveness, and we look forward to working with them for years to come. Since our founding, OHD has been dedicated to exceptional client service, providing stress-free employee health screenings and workforce health data analytics. Our clients, who include Fortune 500 corporations, hospital systems, financial institutions, state & local governments and small businesses alike, rely on OHD’s commitment to privacy and security when it comes to their employee health data.

Kyle Alexander
CEO, Onsite Health Diagnostics

Service Lines: HIPAA & OCR Compliance, Security & Privacy Risk Assessments, Technical Security Testing & Ethical Hacking